Privacy Disclosure Notice Template for England and Wales

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Privacy Disclosure Notice?

A Privacy Disclosure Notice is a fundamental document required by UK data protection legislation for organizations processing personal data in England and Wales. It should be implemented when collecting personal data from individuals and must be readily available before data processing begins. The notice includes information about data collection purposes, legal bases for processing, data sharing practices, retention periods, and individual rights. This document helps organizations comply with transparency obligations under the UK GDPR and Data Protection Act 2018, while building trust with data subjects through clear communication about data handling practices.

Frequently Asked Questions

Is a Privacy Disclosure Notice legally binding in England and Wales?

Yes, Privacy Disclosure Notices are legally required under the UK GDPR and Data Protection Act 2018 in England and Wales. Organizations must provide this notice when collecting personal data, and failure to comply can result in ICO fines of up to £17.5 million or 4% of annual turnover. The notice creates legal obligations for transparency and must be accurate and complete.

Can the ICO fine my company if my Privacy Disclosure Notice is missing or incomplete?

Yes, the ICO can impose significant fines for missing or inadequate Privacy Disclosure Notices under UK GDPR Article 83. Penalties can reach £17.5 million or 4% of annual global turnover, whichever is higher. The ICO considers transparency failures serious breaches and has issued substantial fines for inadequate privacy notices.

How long must I keep Privacy Disclosure Notice records under England and Wales law?

Under the Data Protection Act 2018, you must maintain records of your Privacy Disclosure Notices for as long as you process personal data plus a reasonable period afterward. The ICO recommends keeping documentation for at least 6 years after data processing ends to demonstrate compliance during potential investigations or audits.

How is a Privacy Disclosure Notice different from a Privacy Policy in the UK?

A Privacy Disclosure Notice is provided at the point of data collection and focuses on specific processing activities, while a Privacy Policy is a broader document covering all organizational data practices. Under UK GDPR, the notice must be concise and immediate, whereas privacy policies can be more comprehensive and accessed separately through website links.

How long does it typically take to create a compliant Privacy Disclosure Notice?

Creating a basic Privacy Disclosure Notice takes 2-4 hours using templates, but comprehensive notices for complex organizations can require 1-2 days of work. Time depends on data processing complexity, number of legal bases, and third-party sharing arrangements. Legal review adds another 2-4 hours for professional verification of UK GDPR compliance.

Can I use the same Privacy Disclosure Notice for different data collection activities?

No, each data collection context requires a specific Privacy Disclosure Notice under UK GDPR Article 13-14. Different processing purposes, legal bases, or data sharing arrangements need separate notices. Using generic notices fails the transparency requirement and can result in ICO enforcement action for non-compliance with UK data protection law.

Must I include specific contact details for data protection queries in my notice?

Yes, UK GDPR Article 13 requires Privacy Disclosure Notices to include contact details for data protection inquiries. You must provide your organization's contact information and, if applicable, your Data Protection Officer's details. The ICO expects clear, accessible contact methods for individuals to exercise their data protection rights under UK law.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Privacy Disclosure Notice

A Privacy Disclosure Notice is your organization's legal obligation to inform individuals about how you collect, use, and protect their personal data under England and Wales law. This document ensures compliance with the UK GDPR and Data Protection Act 2018 by providing clear, accessible information about your data processing activities before you begin collecting personal information.

When do you need this document?

You must provide a Privacy Disclosure Notice whenever your organization collects personal data directly from individuals or processes their information for the first time. This includes when customers fill out contact forms on your website, employees provide HR information, patients register at healthcare facilities, or students enroll in educational programs. The notice must be available at the point of data collection, whether that's online through website privacy policies, in physical forms at reception desks, or during telephone interactions. Public authorities also require these notices when collecting information through freedom of information requests or public service delivery.

Key legal considerations

Your Privacy Disclosure Notice must contain specific mandatory information under UK GDPR Article 13 and 14. This includes identifying your organization as the data controller, specifying the types of personal data collected, explaining the purposes and legal basis for processing under Article 6 grounds such as consent, contract performance, or legitimate interests. You must detail any third parties who will receive the data, explain retention periods with clear justification, and outline individuals' rights including access, rectification, erasure, and portability. The notice should address any automated decision-making or profiling activities and provide clear contact information for your Data Protection Officer where applicable. Special consideration is required for sensitive personal data processing under Article 9, which demands explicit consent or other specific legal conditions.

Legal requirements in England and Wales

Under England and Wales jurisdiction, your Privacy Disclosure Notice must comply with the UK GDPR as implemented by the Data Protection Act 2018, which replaced EU GDPR following Brexit. The Information Commissioner's Office (ICO) enforces these requirements and can impose significant penalties for non-compliance, including fines up to £17.5 million or 4% of annual turnover. The Privacy and Electronic Communications Regulations 2003 impose additional requirements for electronic marketing and cookie disclosures that must be integrated into your notice. If you're a public authority, the Freedom of Information Act 2000 creates additional transparency obligations that should be referenced. The Human Rights Act 1998, particularly Article 8 protecting private and family life, provides the underlying legal framework for data protection rights. Your notice must be written in plain English, easily accessible, and regularly updated to reflect changes in processing activities or legal requirements.

GOVERNING LAW

Applicable law

This Privacy Disclosure Notice is drafted to comply with England and Wales law. Key legislation includes:

UK GDPR: The UK General Data Protection Regulation - Primary legislation governing data protection in the UK post-Brexit, setting out fundamental principles for personal data processing

DPA 2018: Data Protection Act 2018 - The UK's implementation of data protection laws, complementing and working alongside the UK GDPR

PECR 2003: Privacy and Electronic Communications Regulations 2003 - Specific rules for electronic communications, including rules about cookies, marketing calls, emails and texts

Freedom of Information Act 2000: Legislation providing public access to information held by public authorities, relevant if the organization is a public body

Human Rights Act 1998: Particularly Article 8 which enshrines the right to respect for private and family life, home and correspondence

ICO Guidance: Official guidance documents from the Information Commissioner's Office, providing practical interpretation of data protection requirements

EDPB Guidelines: European Data Protection Board guidelines which, while not binding post-Brexit, remain influential in UK data protection practice

Data Protection Principles: Seven key principles under UK GDPR Article 5 including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, and storage limitation

Lawful Bases: Six legal bases for processing under UK GDPR Article 6: consent, contract, legal obligation, vital interests, public task, and legitimate interests

Special Category Data: Additional requirements under Article 9 for processing sensitive personal data such as health, racial, religious, or biometric information

Individual Rights: Rights granted to individuals including access, rectification, erasure, portability, and objection to processing

International Transfers: Requirements and safeguards for transferring personal data outside the UK, including adequacy decisions and appropriate safeguards

Data Security: Technical and organizational measures required to ensure appropriate security of personal data

Retention Periods: Requirements for establishing and documenting how long personal data will be kept and justification for retention periods

Complaints Procedure: Process for handling data protection related complaints and individuals' right to lodge complaints with the ICO

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it